A DNS server for ZeroTier users
It's not DNS.
There's no way it's DNS.
It was DNS.
- This feature is still in beta.
- This will soon be integrated into ZeroTier 2.0, but for now, it is segregated to allow us to iterate quickly.
- Here be Dragons (still).
- When ZeroTier joins a network, it creates a virtual network interface.
- When ZeroTier joins multiple networks, there will be multiple network interfaces.
- When ZeroNSD starts, it binds to a ZeroTier network interface.
- When ZeroTier is joined to multiple networks, it needs multiple ZeroNSDs, one for each interface.
- ZeroNSD will be accessible from the node it is running on.
- ZeroNSD will be accessible from other nodes on the ZeroTier network.
- ZeroNSD will be isolated from other networks the node might be on.
This Quickstart was written using two machines - one Ubuntu virtual machine on Digital Ocean, and one OSX laptop on a residential ISP. To follow along step by step, you'll need to provision equivalent infrastructure. If you use different platforms, you should be able to figure out what to do with minimal effort.
#Create a ZeroTier Network
You may do this manually through the ZeroTier Central WebUI,
ZeroTier must be installed and joined to the network you intend to provide DNS service to.
The following should work from the CLI on most platforms. Windows users may download the MSI from the ZeroTier Downloads page. For the remainder of this document, please replace the example network ID af78bf94364e2035 with a network ID of your own.
#Authorize the Nodes
Authorize the node to the network by clicking the "Auth" button in the
Members section in the
ZeroTier Central WebUI.
#Provision an API Token from ZeroTier Central
Before we begin, we will need to log into my.zerotier.com and create an API token under the Account section. ZeroNSD uses this token to read the network's members so it can generate records, and to update the network's DNS settings. Treat it like any other credential that can change your network, not as a read-only key.
You will need to stash this in a file for ZeroNSD to read.
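Because that token can rewrite the network's DNS settings, the file holding it should not be readable by other users on the node. The following is an added example, not zeronsd's own token handling: it creates the token file with mode 0600 from the start and refuses to load a token from a file with looser permissions or a different owner. The path and the token value are constructed.

```python
"""Keep the Central API token on disk the way a credential that can rewrite a
network's DNS settings deserves. Added example, not zeronsd's own token
loading; the path and the token value are constructed."""
import os
import stat
import tempfile


class TokenFileError(Exception):
    pass


def write_token(path: str, token: str) -> None:
    """Create the file 0600 from the start; a chmod after writing leaves a
    window in which the token is world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token + "\n")


def load_token(path: str) -> str:
    """Return the token, refusing files other users on the node could read."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise TokenFileError(f"{path}: not a regular file (symlinks refused)")
    if st.st_uid != os.geteuid():
        raise TokenFileError(f"{path}: owned by uid {st.st_uid}, not the running user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise TokenFileError(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is accessible to group/other; chmod 600 it")
    with open(path) as fh:
        token = fh.read().strip()
    if not token:
        raise TokenFileError(f"{path}: empty token")
    return token


def demo() -> dict:
    """Constructed scenario: a file written by write_token loads; a copy
    left 0644 is rejected. Returns the outcomes so they can be checked."""
    outcome = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "central.token")
        write_token(good, "EXAMPLE-NOT-A-REAL-TOKEN")  # constructed value
        outcome["good"] = load_token(good)

        leaky = os.path.join(d, "central.token.leaky")
        with open(leaky, "w") as fh:
            fh.write("EXAMPLE-NOT-A-REAL-TOKEN\n")
        os.chmod(leaky, 0o644)
        try:
            load_token(leaky)
            outcome["leaky"] = "accepted"
        except TokenFileError:
            outcome["leaky"] = "rejected"
    return outcome


if __name__ == "__main__":
    print(demo())
```

The same check is worth running by hand on the node before starting ZeroNSD: `ls -l` on the token file should show `-rw-------` and your own user.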
#ZeroTier Systemd Manager
zerotier-systemd-manager publishes rpm and deb packages, available at https://github.com/zerotier/zerotier-systemd-manager/releases. It configures per-interface DNS for each ZeroTier interface, so the node's resolver sends queries for a network's TLD to that network's ZeroNSD instead of the default nameservers.
Finally, restart all the ZeroTier services.
ZeroNSD should only run on one node per network. Latency for DNS really matters, so try to place it as close to the clients as possible.
ZeroNSD publishes rpm, deb, and msi packages, available here.
The latest release is not reflected below. Go to the link above to get a link!
If we don't have packages for your platform, you can still install it with cargo.
For each network you want to serve DNS to, do the following (replace
af78bf94364e2035 with your network ID)
You should be able to ping the laptop via its DNS name (or any name under it, i.e. any preceding subdomain, since we've set the wildcard flag)
#Update flag settings
In order to change the settings (such as the TLD), do the following (replace
af78bf94364e2035 with your network ID)
Most Linux distributions, by default, do not have per-interface DNS
resolution out of the box. To test DNS queries against ZeroNSD without
zerotier-systemd-manager, find the IP address that ZeroNSD has bound
itself to, and run queries against it explicitly.
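Since one ZeroNSD binds to one ZeroTier interface (the bullets at the top of this page), the address to query is the ZeroTier-assigned address on that interface, not the node's public or LAN address. The following added example, which is not zeronsd's code, finds that address from `zerotier-cli -j listnetworks` and builds the explicit `dig` command. SAMPLE_LISTNETWORKS is constructed to mirror the shape of that command's JSON (nwid, status, portDeviceName, assignedAddresses); the interface names and addresses in it are not real.

```python
"""Locate the ZeroTier-assigned address a ZeroNSD instance listens on, from
`zerotier-cli -j listnetworks`. Added example, not zeronsd's code.
SAMPLE_LISTNETWORKS is constructed to mirror that command's JSON shape."""
import json
import subprocess
from typing import List, Optional

SAMPLE_LISTNETWORKS = json.dumps([
    {"nwid": "af78bf94364e2035", "name": "beyond.corp", "status": "OK",
     "portDeviceName": "ztyqb6mfsw",
     "assignedAddresses": ["10.147.17.1/24", "fcaf:78bf:9436:4e20:3500::1/40"]},
    {"nwid": "8056c2e21c000001", "name": "earth", "status": "REQUESTING_CONFIGURATION",
     "portDeviceName": "ztzlgk6kpn", "assignedAddresses": []},
])


def parse_listnetworks(raw_json: str) -> List[dict]:
    """Decode the JSON array zerotier-cli prints with -j."""
    nets = json.loads(raw_json)
    if not isinstance(nets, list):
        raise ValueError("expected a JSON array of networks")
    return nets


def zt_bind_address(nets: List[dict], nwid: str, want_v6: bool = False) -> Optional[str]:
    """Address on the interface for `nwid`, or None if the node is not yet
    joined and configured. One ZeroNSD runs per interface, so this is the
    only address on which that network's ZeroNSD answers."""
    for net in nets:
        if net.get("nwid", "").lower() != nwid.lower():
            continue
        if net.get("status") != "OK":
            return None  # joined but not authorized/configured: no address yet
        for cidr in net.get("assignedAddresses", []):
            addr = cidr.split("/", 1)[0]
            if (":" in addr) == want_v6:
                return addr
    return None


def dig_command(nets: List[dict], nwid: str, qname: str, tld: str = "beyond.corp") -> List[str]:
    """The explicit query used when the host resolver has no per-interface
    DNS: dig @<zt address> <name>.<tld>."""
    addr = zt_bind_address(nets, nwid)
    if addr is None:
        raise LookupError(f"no OK ZeroTier interface for network {nwid}")
    return ["dig", f"@{addr}", f"{qname}.{tld}", "+short"]


def live_networks() -> List[dict]:
    """Same thing against the running zerotier-one service on this node."""
    out = subprocess.run(["zerotier-cli", "-j", "listnetworks"],
                         capture_output=True, text=True, check=True).stdout
    return parse_listnetworks(out)


if __name__ == "__main__":
    nets = parse_listnetworks(SAMPLE_LISTNETWORKS)
    print(" ".join(dig_command(nets, "af78bf94364e2035", "laptop")))
```

If `zt_bind_address` returns None, the node is joined but not yet authorized in ZeroTier Central, and there is nothing for ZeroNSD to bind to yet; authorize the member first.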
Query the DNS server directly with the dig command
The Ubuntu machine can be queried with:
The OSX laptop can be queried with:
Add a line to /etc/hosts and query again.
Query a domain on the public DNS to verify fall through
On OSX, use dns-sd to test resolution. Unfortunately, dig is broken on OSX for this purpose: it reads /etc/resolv.conf directly and ignores the per-interface (scoped) resolvers the system resolver uses, so it will not find ZeroNSD unless you point it at the server's address explicitly with @.
To check out the system resolver settings, use:
The Ubuntu machine can be queried with:

```
dns-sd -G v4 server.beyond.corp
dns-sd -G v4 zt-3513e8b98d.beyond.corp
```

The OSX machine can be queried with:

```
dns-sd -G v4 laptop.beyond.corp
dns-sd -G v4 zt-eff05def90.beyond.corp
```
Are you a Windows user?
Does this work out of the box?
Does nslookup behave properly?
Let us know... feedback and pull requests welcome =)
#Serving non-ZeroTier records
NOTE this portion of the document is largely intended for advanced users who want to get more out of
zeronsd will also serve non-ZeroTier records in two situations. First, on a TLD mismatch (a query for a name outside the TLD it serves) it forwards the query to the nameservers listed in /etc/resolv.conf on the host it runs on. This behavior is similar to dnsmasq, a popular DNS server on Linux. Note that this makes the ZeroNSD host's upstream resolvers reachable, by way of ZeroNSD, from every node on the ZeroTier network.
Second, to serve custom records you can supply the -f flag with a file in hosts format; zeronsd will serve the records from that file under the provided TLD, merged in with the ZeroTier node records. Example below.
NOTE: if you followed the steps above, you will want to run systemctl stop zeronsd-<network id> and zeronsd unsupervise <network id> for your network before continuing, so that the supervised instance and the temporary one are not both trying to bind the same interface.
Make a file called hosts and put this in it:
Then, let's start a temporary server for now. We'll just use the
start subcommand of
zeronsd. This will run in the foreground, so start a new terminal or
Finally, we can look up cloudflare-dns.beyond.corp to find CloudFlare's DNS server really really fast!
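To make the behavior described on this page concrete (the member records and zt-<node id> names from the Quickstart, the wildcard flag, the hosts file merged under the TLD, and forwarding on TLD mismatch), here is an added example that models that record set and query dispatch in Python. It is not zeronsd's code and does not talk to the network. MEMBERS is constructed in the shape of a ZeroTier Central member object (nodeId, name, config.authorized, config.ipAssignments); the node IDs, addresses and the hosts-format file are constructed too.

```python
"""Model of the records ZeroNSD serves for one network and of how a query is
dispatched: member records, a hosts-format file merged under the TLD, the
wildcard flag, and forwarding on TLD mismatch. Added example, not zeronsd's
code. MEMBERS mirrors the shape of a Central member object; values are
constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

TLD = "beyond.corp"

MEMBERS = [  # constructed; node IDs and addresses are not real
    {"nodeId": "3513e8b98d", "name": "server",
     "config": {"authorized": True, "ipAssignments": ["10.147.17.1"]}},
    {"nodeId": "eff05def90", "name": "laptop",
     "config": {"authorized": True, "ipAssignments": ["10.147.17.42"]}},
    {"nodeId": "0123456789", "name": "retired",
     "config": {"authorized": False, "ipAssignments": ["10.147.17.99"]}},
]

HOSTS_FILE = """# constructed hosts-format file for -f
1.1.1.1 cloudflare-dns
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """hosts(5) format: <address> <name> [<name>...], '#' starts a comment."""
    records: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)  # reject junk before it becomes a record
        for name in names:
            records.setdefault(name.lower(), []).append(addr)
    return records


def member_records(members: List[dict]) -> Dict[str, List[str]]:
    """Two labels per authorized member with an address: zt-<node id> and the
    member's name in Central. Unauthorized members get no record."""
    records: Dict[str, List[str]] = {}
    for m in members:
        cfg = m.get("config", {})
        addrs = cfg.get("ipAssignments", [])
        if not cfg.get("authorized") or not addrs:
            continue
        records.setdefault(f"zt-{m['nodeId']}".lower(), []).extend(addrs)
        name = m.get("name", "").strip().lower()
        if name:
            records.setdefault(name, []).extend(addrs)
    return records


def build_zone(members: List[dict], hosts_text: str = "", tld: str = TLD) -> Dict[str, List[str]]:
    """Member records merged with the hosts file, every label under the TLD."""
    merged = member_records(members)
    for name, addrs in parse_hosts(hosts_text).items():
        merged.setdefault(name, []).extend(addrs)
    return {f"{name}.{tld}": addrs for name, addrs in merged.items()}


def resolve(zone: Dict[str, List[str]], qname: str, tld: str = TLD,
            wildcard: bool = False) -> Tuple[str, Optional[List[str]]]:
    """FORWARD: name is outside the TLD, hand it to /etc/resolv.conf's servers.
    ANSWER: exact match, or with the wildcard flag any name under a record.
    NXDOMAIN: inside the TLD but no record."""
    q = qname.lower().rstrip(".")
    if q != tld and not q.endswith("." + tld):
        return ("FORWARD", None)
    if q in zone:
        return ("ANSWER", zone[q])
    if wildcard:
        labels = q.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if parent in zone:
                return ("ANSWER", zone[parent])
    return ("NXDOMAIN", None)


if __name__ == "__main__":
    zone = build_zone(MEMBERS, HOSTS_FILE)
    for name in ("cloudflare-dns.beyond.corp", "dev.laptop.beyond.corp", "example.com"):
        print(name, resolve(zone, name, wildcard=True))
```

The FORWARD branch is the one to keep in mind when placing ZeroNSD: whatever nameservers the host lists in /etc/resolv.conf become reachable to every member of the network through that one node.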